1Password & Hashcat

The folks at Hashcat have some interesting observations about 1Password. The folks at 1Password have a response, and I think there’s all sorts of fascinating lessons here.

The crypto conversations are interesting, but at the end of the day, a lot of security is unavoidably contributed by the master password strength. I’d like to offer up a simple contribution. Agilebits should make two non-cryptographic changes in addition to any crypto changes.

These relate to the human end of the issue, and how real humans make decisions. That is, picking a master password is a one time event, and even if there’s a strength meter, factors of memorability, typability, etc all come into play when the user selects a password when first installing 1Password.

Those human factors are not good for security, but I think they’re addressable.

First, the master password entry screens should display the same password strength meter that’s displayed everywhere else. It’s all well and good to discuss in a blog post that people need strong master passwords, but the software should give regular feedback about the strength of that master password. Displaying a strength meter each time it’s entered creates some small risk of information disclosure via shoulder-surfing, and adds pressure to make it stronger.

Second, they should make it easier to change the master password. I looked around, couldn’t figure out how to do so in a few minutes. [Update: It’s in preferences, security. I thought I’d looked there, may have missed it.]


If master passwords are so important, then it’s important for the software to help its customers get them right.

There’s an interesting link here to “Why Johnny Can’t Encrypt.” In that 1999 paper, Whitten and Tygar made the point that all the great crypto in PGP couldn’t protect its users if they didn’t make the right decisions, and making those decisions is hard.

In this case, the security of password vaults depends not only on the crypto, but also on the user interface. Figuring out the mental models that people have around password storage tools, and how the interface choices those tools make develop those mental models is an important area, and deserves lots of careful attention.

I swear, I’m just looking at the articles!

Apparently, Playboy (possibly NSFW) has an app on iTunes. However, to get an app through the censors prudes “appropriate content” editors, there’s none of Playboy’s trademark nudes.

The Playboy app on ITunes

There hasn’t been such good news for their writers since the braille edition.

I’ll leave the jokes to you.

It’s worth thinking about this as the sanitized future if companies like Apple get to decide what we read or look at on the devices we buy.

Gamifying Driving

P90115441 highRes 640x419

…the new points system rates the driver’s ability to pilot the MINI with a sporty yet steady hand. Praise is given to particularly sprightly sprints, precise gear changes, controlled braking, smooth cornering and U-turns executed at well-judged speeds. For example, the system awards maximum Experience Points for upshifts carried out within the ideal rev range and in less than 1.2 seconds. Super-slick gear changes prompt a “Perfect change up” message on the on-board monitor, while a “Breathtaking U-turn” and a masterful touch with the anchors (“Well-balanced braking”) are similarly recognised with top marks and positive, MINI-style feedback.

For more, see “MINI Connected Adds Driving Excitement Analyser.”

Now, driving is the most dangerous thing most of us do on a regular basis. Most Americans don’t get any supplemental driving instruction after they turn 17. So maybe there’s actually something to be said for a system that incents people to drive better.

I can’t see any possible issues with a game pushing people towards things that are undesirable in the real world. I mean, I’m sure that before suggesting a U-turn, the game will use the car’s adaptive cruise control radar to see what’s around, even if the car doesn’t have one.

Privacy, Facebook and Fatigue

Facebook’s new Graph search is a fascinating product, and I want to use it. (In fact, I wanted to use it way back when I wrote about “Single Serving Friend” in 2005.)

Facebook’s Graph Search will incent Facebook users to “dress” themselves in better meta-data, so as to be properly represented in all those new structured results. People will start to update their profiles with more dates, photo tags, relationship statuses, and, and, and…you get the picture. No one wants to be left out of a consideration set, after all. (“Facebook is no longer flat“, John Battelle)

But privacy rears its predictable head, not just in the advocacy world:

Independent studies suggest that Facebook users are becoming more careful about how much they reveal online, especially since educators and employers typically scour Facebook profiles.

A Northwestern University survey of 500 young adults in the summer of 2012 found that the majority avoided posting status updates because they were concerned about who would see them. The study also found that many had deleted or blocked contacts from seeing their profiles and nearly two-thirds had untagged themselves from a photo, post or check-in. (“Search Option From Facebook Is a Privacy Test“, NYTimes)

Perhaps a small set of people will, as Batelle suggests, slow down their use of ironic, silly, or outraged likes, but the fundamental problem is that such uses are situated in a context, and when those contexts overlap, their meanings are harder to tease out with algorithms. People engage with systems like Yelp or LinkedIn in a much more constrained way, and in that constraint, make a much simpler set of meanings. But even in those simple meanings, ‘the street finds its own uses for things.’ For example, I get the idea that this 5-star review may be about something more than the design on a shirt.

There’s another study on “Facebook Fatigue:”

Bored or annoyed by Facebook? You’re not alone. A majority of people surveyed by the Pew Internet and American Life Project said they had taken sabbaticals from the social network at some point, to escape the drama, or the tedium. (“Study: Facebook fatigue — it’s real“, Jennifer Van Grove, CNet)

When our nuanced and evolved social systems are overlaid with technology, it’s intensely challenging to get the balance of technology and social right. I think the Pew research shows that Facebook has its work cut out for it.

Should I advertise on Twitter?

Apparently Twitter sent me some credits to use in their advertising program. Now, I really don’t like Twitter’s promoted tweets — I’d prefer to be the customer rather than the product. (That is, I’d like to be able to give Twitter money for an ad-free experience.)

At the same time, I’m curious to see how the advertising system works. I’d like to understand it and blog about it, but Twitter would like to maintain confidentiality around the program. They’re engaged in white-hot competition with Facebook and Google to be the new advertising platform of the future. At the same time, it’s less transparency than the exceptionally high bar that Twitter has generally aspired to.

That said with the launch of Control-Alt-Hack, my collaborators have stuff to sell and give away. (Not to mention maybe a sales bump for The New School of Information Security?) Or maybe I could promote other books that I think people should read, like “Thinking, Fast and Slow“). Does the nature of what I’m advertising change the calculus? Would advertising the giveaway make it different?

Then again, I do lots of “advertising” on Twitter already–I advertise the book, the game, blog posts, ideas I like. Does paying to bring them to more people dramatically change the equation?

Interestingly (and I think this is something that can be discussed, because it’s visible), I’m offered the chance to promote both tweets and myself.

I’d be really interested in hearing from readers about how I should take advantage of this, and if I should take advantage of it at all.

Now Available: Control Alt Hack!

Amazon now has copies of Control Alt Hack, the card game that I helped Tammy Denning and Yoshi Kohno create. Complimentary copies for academics and those who won copies at Blackhat are en route.


From the website:

Control-Alt-Hack™ is a tabletop card game about white hat hacking, based on game mechanics by gaming powerhouse Steve Jackson Games (Munchkin and GURPS).

Age: 14+ years
Players: 3-6
Game Time: Approximately 1 hour

You and your fellow players work for Hackers, Inc.: a small, elite computer security company of ethical (a.k.a., white hat) hackers who perform security audits and provide consultation services. Their motto? “You Pay Us to Hack You.”

Your job is centered around Missions – tasks that require you to apply your hacker skills (and a bit of luck) in order to succeed. Use your Social Engineering and Network Ninja skills to break the Pacific Northwest’s power grid, or apply a bit of Hardware Hacking and Software Wizardry to convert your robotic vacuum cleaner into an interactive pet toy…no two jobs are the same. So pick up the dice, and get hacking!

Lessons from Facebook’s Stock Slide

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are three key lessons that we can take away:

  • The Privacy Invasion Gnomes are Wrong
  • Intent Beats Identity
  • Maximizing your IPO returns may be a short term strategy

Let me start with the “Privacy Invasion Gonmes.” The short form of their strategy is:

  1. Gather lots of data on people
  2. ???
  3. Profit

This is, of course, a refinement of the original Gnome Strategy. But what Facebook shows us is:

The Privacy Invasion Gnomes are Wrong

Gathering lots of data on people is a popular business strategy. It underlies a lot of the advertising that powers breathless reporting on the latest philosophical treatise by Kim Kardashian or Paris Hilton.

But what Facebook shows us is that just gathering data on people is actually insufficient as a business strategy, because knowing that someone is a a Democrat or Republican just isn’t that valuable. It’s hard to capitalize on knowing that a user is Catholic or Mormon or Sikh. There’s a limit to how much money you make being able to identify gays who are still in the closet.

All of which means that the security industry’s love affair with “identity” is overblown. In fact, I’m going to argue that intent beats identity every time you can get it, and you can get it if you…keep your eye on the ball.

Intent beats Identity

The idea that if you know someone, you can sell them what they need is a powerful and intuitive one. We all love the place where everyone knows your name. The hope that you can translate it into an algorithm to make it scale is an easy hope to develop.

But many of the businesses that are raking in money hand-over foot on the internet aren’t doing that. Rather, they’re focused on what you want right now. Google is all about that search box. And they turn your intent, as revealed by your search, into ads that are relevant.

Sure, there’s some history now, but fundamentally, there’s a set of searches (like “asbestos” and “car insurance”) that are like kittens thrown to rabid wolves. And each of those wolves will pay to get you an ad. Similarly, Amazon may or may not care who you are when they get you to buy things. Your search is about as direct a statement of intent as it gets.

Let me put it another way:
Internet company revunue per user

The graph is from Seeking Alpha’s post, “Facebook: This Is The Bet You Are Making.”

So let me point out that two of these companies, Facebook and LinkedIn, have great, self-reinforcing identity models. Both use social pressure to drive self-representation on the site to match self-representation in various social situations. That’s pretty close to the definition of identity. (In any event, it’s a lot closer than anyone who talks about “identity issuance” can get.) And both make about 1/9th of what Google does on intent.

Generally in security, we use identification because it’s easier than intent, but what counts is intent. If a fraudster is logging into Alice’s account, and not moving money, security doesn’t notice or care (leaving privacy aside). If Alice’s husband Bob logs in as Alice, that’s a failure of identity. Security may or may not care. If things are all lovey-dovey, it may be fine, but if Bob is planning a divorce, or paying off his mistress, then it’s a problem. Intent beats identity.

Maximizing your IPO returns may be a short term strategy

The final lesson is from Don Dodge, “How Facebook maximized the IPO proceeds, but botched the process.” His argument is a lot stronger than the finger-pointing in “The Man Behind Facebook’s I.P.O. Debacle“. I don’t have a lot to add to Don’s point, which he makes in detail, so you should go read his piece. The very short form is that by pricing as high as they did, they made money (oodles of it) on the IPO, and that was a pretty short-term strategy.

Now, if Facebook found a good way to get intent-centered, and started making money on that, botching the IPO process would matter a lot less. But that’s not what they’re doing. The latest silliness is using your mobile number and email to help merchants stalk find you on the site. That program represents a triumph of identity thinking over intent thinking. People give their mobile numbers to Facebook to help secure their account. Facebook then violates that intent to use the data for marketing.

So, I think that’s what we can learn from the Facebook stock slide. There may well be other lessons in an event this big, and I’d love to hear your thoughts on what they might be.

Mozilla’s Vegan BBQ

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll have to find the special line.

Obviously, I’m just kidding. Mozilla isn’t hosting a vegan BBQ in Dallas, but they are hosting one for your browsing privacy, by their choice for the “Do Not Track” (DNT) setting.

Poll after poll shows that people around the world prefer privacy, in the same sort of way they prefer cow burgers. This preference is stable, extending back decades, and being shown in nearly every poll. So why is Mozilla defaulting to not setting DNT?

Meanwhile, [some participants in] the W3C [working group are] is suggesting that the best we can possibly do is whenever you install a new browser, it goes through an Eliza-like process of interviewing you about weird technical settings, rather than having a great first-run experience.

Now it’s true, some people are ok with a tradeoff between what advertisers want (to trade content for ads) and what they want (privacy). Some advertisers go so far as to claim that there would be no content without ads, and they are, simply, flatly wrong. There is and will continue to be, content like this, which I hope you’re enjoying. I’ll draw to your attention that this blog is ad-free. We write because we have ideas we want to share. I’m sure that with fewer ads, we’d see less Paris Hilton ‘content’. But more importantly, the advertising industry is good at spreading messages. If they need DNT “off”, perhaps they could spread the message of why that’s a good thing for people, and, as is their wont and charter, convince people to make that change.

But the simple truth, known to the ad industry, the W3C and to Mozilla, is that most people prefer not to be tracked, in the same way most people prefer beef burgers. The “please let us track you” people have a hard message to spread, which is why they prefer to fight in relative obscurity over defaults.

Some additional background links: “Ad industry whines while privacy wonks waffle,” “Could the W3C stop IE 10’s Do Not Track plans?

I should be clear that my distaste at the idea of a vegan BBQ is mine. Even if my employer and I both prefer beef burgers, my opinions are mine, theirs are theirs, and I didn’t cook this blog up with them.

[Update: Clarified that I didn’t mean to imply the decision was that of the W3C as a whole.]

Please Kickstart Elevation of Privilege

Jan-Tilo Kirchhoff asked on Twitter for a printer (ideally in Germany) to print up some Elevation of Privilege card sets. Deb Richardson then suggested Kickstarter.

I wanted to comment, but this doesn’t fit in a tweet, so I’ll do it here.

I would be totally excited for someone to Kickstarter production of Elevation of Privilege. Letting other people make it, and make money on it, was an explicit goal of the Creative Commons license (CC-BY-3.0) that we selected when we released the game.

So why don’t I just set up a Kickstarter? In short, I think it’s a caesar’s wife issue. I think there’s a risk that it looks bad for me to decide to release things that Microsoft paid me to do, and then make money off of them.

Now, that impacts me. It doesn’t impact anyone else. I would be totally excited for someone else to go make some cards and sell them. I would promote such a thing, and help people find whatever lovely capitalist is doing it. I would be happy to support a Kickstarter campaign, and would be willing to donate some of my time and energy with things like signing decks, doing a training sessions, or whatnot. I even have some joker cards that you could produce as a special bonus item.

So, if you think Elevation of Privilege is cool, please, go take advantage of the license we released it under, and go make money with it.

[Update: I don’t have exact numbers, but have seen quotes for quantities around 5,000 decks, production might be around $2-3 a deck. At smaller quantities, you might end up around $5-7 a deck. YMMV. So a Kickstarter in the range of $5-10K would probably be workable, although you’d certainly want to think about shipping and handling costs.]

How to get my vote for the ACM Board

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which locks science behind a paywall is the ACM. As it turns out, the ACM is having elections, and I’m a member, so I thought maybe I could usefully vote on this issue. So I went to the ACM website to see what’s being said on it. Here’s what I had to go through to find the answer:

  • Are the elections important enough to be listed on the home page? Apparently not.
  • Maybe it’s an issue of importance to the ACM Membership? Nah.
  • Maybe I can find something about it on ACM US? That’s actually the “public policy” arm.
  • So perhaps it’s a matter of who will be on Boards and Committess? No, that points to this page, which is highly informative.
  • Maybe it’s under MyACM? Nope
  • Ahhh! Finally, it’s under Membernet: here

And it turns out that there’s no one running for the board of the ACM who’s running on open access issues. That’s too bad.

So let me be very clear. I’m a one-issue voter for academic societies. I believe that open access to science is a key part of everything that these societies should be doing, and it’s the only part that involves change to the business, and thus controversey.

If you want my vote, run on an open access platform.

(If you’re not familiar with the arguments for open access, see The Open Access Pledge site, The Cost of Knowledge site, or this faculty memo from the library of a small college in Cambridge, Mass.)

[Update: Don’t miss the comment by Brighten Godfrey, who’s been reaching out to the candidates, and gathering their positions.]

More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path:

  • Google+ and The Trouble With Tribbles

    The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook is being far more successful in doing so using far more insidious means). Facebook also has a policy of Real Names, but it realizes that to make the social work you have to cater to the psychology of the users. So there are no identity verification processes, no automatic suspension of accounts and schemes that entice us to provide real data instead of telling us to do so. The fidelity of the data is proven by it’s socially verified reputation, not because there is a policy document that can be pointed to (at the end of the day, a much more robust and legitimate mechanism).

  • For Ceorl Onlyone, thanks…

    “As I’ve said previously, I left Facebook and Google+ because I could see the direction and I discerned the narrowing that indicates both subtle and direct attacks upon choice and privacy. I left because my presence was a reason for my family, friends, and peers to remain.

  • The Social Graph is Neither.”
    There’s no clear pull quote, but boy is this a great de-construction of the phrase (and product name) “the social graph”. Read it carefully, and you’ll never hear those words the same way.

  • In a number of places, including “Take back the comments: stop online harassment” and comment on “Why it Matters: Google+ and Diversity, part 2,” Kathy Sierra says:

    Keep the pseudonyms and lose the assholes.

Previously: “Google+ Failed Because of Real Names” and “Yes, Google+ Is a Failure

Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician.

Some folks might advise me to stop digging a hole, put down the shovel and walk away. But
I’m going to pick up that shovel, and try to convince you that I’m not exaggerating. Google+ may not be a New Coke level failure, it may be a successful failure, but it’s a failure nonetheless.

The goal of Google+ is to dominate the social network space, replacing Facebook, LinkedIn and Twitter, and building a moat around Google’s core business of advertising. That moat ought to consist of Google having more information about you than the CIA does (ok, that’s hyperbole. The CIA can’t store that much info). The moat ought to be that Google can show your wallet-name ads that tug at your wallet-strings.

Do you really think that Google wanted to enter this market to play second-fiddle to Facebook? Do you think that Google is happy that Facebook is going to pop out in the biggest IPO in history real soon now, giving them a massive war chest?

I think that the answer is fairly obviously a no. Now, you could argue that Google+ is en route to topple Facebook. That Google will take three tries to get it right or something, like they did with Search and Mail and Maps. (Oh, wait, they didn’t take three tries on any of those.)

What’s more, I don’t think that no was pre-ordained because of Facebook’s massive user-base. People were willing to show up at Google+ and explore. And that exploration rapidly foundered on the nymwars.

I think the system could and should have done better, if Google wasn’t so hell-bent on controlling what name people could display for themselves.

Google+ Failed Because of Real Names

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the physical world that matter to its paying customers: advertisers. To me, the most interesting part is how the real name issue acted as a lens, focusing attention on Google’s plans for the service, the horse-trade Google is asking people to make, and Google’s weighting of a communications platform versus having an online Disneyland where nothing offensive is allowed.

There’s a lot that Google gets right in Google+, most notably the idea of circles. Circles could be a great way for Google to mirror how people interact, and let them present different things to different sets of people, under their control. It’s a simple, understandable metaphor.

But Google hasn’t derailed Facebook, because Google shot themselves in the foot at launch. That’s why TechCrunch has articles like “Raise Your Hand If You’re Still Using Google+.” Let’s be clear, this was an own-goal, and it was avoidable. I know of at least two Googlers who left because they felt Google wasn’t living up to its own values in the internal debate. Google has put their desire to have a real-name driven internet ahead of their user’s desires. Maybe a free name change would make that ok? But it’s not ok, and name changes won’t make it ok.

Within days of Google+ being launched, the positive press was being driven out by stories about the “Nymwars.” A lot of it revolved around Google having claims that your displayed name could be what people called you, but as Skud clearly documented, that was a bizarre and bureaucratic lie. But documenting up your “government name” isn’t enough, as people like 3ric have documented. (It’s pronounced “Three-Rick,” and that’s how I’ve always known him.)

As bad as it is to tell people what they can write on the “Hello, My Name is” badges, it’s worse to be inconsistent and upsetting around something as personal as a name, or to tell someone that a Capulet they’ll no longer be. The very worst part is that Google managed to do it at the wrong time.

What Google did by focusing attention on “real names” when they did was to take attention from the really cool aspects of Google+, and draw it to an emotionally laden set of battles that they can’t win. They managed to calm the waters a bit by declaring that they’d “support” other names, leading to this awesome bit of politically-incorrect-calling-bullshit: “EFF declares premature victory in Nymwars.”

Another way to see this is Google knowingly burned an awful lot of goodwill with one of their key communities, techies. The way that they did it hampered Google+ during its launch, preventing it from getting the momentum it probably deserved.

They did all that in order to get one unique name for everyone. Oops, wait, there’s lots of people named Mike Jones. They did it to get name that links to “the real world you.” They wanted to get a commercial advantage for Google, at the expense of people’s ability to choose how they present themselves.

It hasn’t worked out, and yesterday, Google announced the next set of changes. (EFF has some comments in “Google+ and Pseudonyms: A Step in the Right Direction, Not the End of the Road.”)

Most interesting to me, Yonatan Zunger, Chief Architect of Google+ says:

We thought this was going to be a huge deal: that people would behave very differently when they were and weren’t going by their real names. After watching the system for a while, we realized that this was not, in fact, the case. (And in particular, bastards are still bastards under their own names.) We’re focusing right now on identifying bad behaviors themselves, rather than on using names as a proxy for behavior.

That’s gotta hurt.

The key takeaway: Google spent a huge amount of goodwill on an attractive, but untested idea, which Yonatan summarizes as “Bastards won’t be bastards under their real name.” (As an aside, there’s a lean startup lesson there, but Google has yet to pivot.) You shouldn’t make the same mistake.

Names are personal. They shouldn’t be subject to policies for vague, untested reasons. They shouldn’t be subject to policies at all unless your idea is even better than Google can do. Don’t make your new thing fail by sacrificing it on the altar of real names.

Some follow-on posts: “Yes, Google+ Is a Failure” and “More on Real Name Policies.”

Best autoresponse message

As Brad Feld says, this is the best auto-responder in a long time:

I am currently out of the office on vacation.

I know I’m supposed to say that I’ll have limited access to email and won’t be able to respond until I return — but that’s not true. My blackberry will be with me and I can respond if I need to. And I recognize that I’ll probably need to interrupt my vacation from time to time to deal with something urgent.

That said, I promised my wife that I am going to try to disconnect, get away and enjoy our vacation as much as possible. So, I’m going to experiment with something new. I’m going to leave the decision in your hands:

If your email truly is urgent and you need a response while I’m on vacation, please resend it to interruptyourvacation@example.com and I’ll try to respond to it promptly.

If you think someone else at First Round Capital might be able to help you, feel free to email my assistant, Fiona (fiona@firstround.com) and she’ll try to point you in the right direction.

Otherwise, I’ll respond when I return…

Warm regards,

It avoids any lies, and drives responsibility and choice onto the sender. You can learn a lot about senders this way. It’s probably better than many background checks.